
Tracking e-mail source

Community Veteran
Posts: 7,920
Thanks: 597
Fixes: 8
Registered: 02-08-2007

Tracking e-mail source

Is there any way of tracking an e-mail source, as I keep getting an invoice from some school in America with an attachment which I have no intention of opening.
The email address is shown as notifications@rapidtuition.com, but a query sent to that e-mail address comes back as not having been found.
The invoice, which looks fairly professional, says that a specific number of dollars will be coming out of my account on a specific date, but the bank details shown are clearly not mine.
I cannot make out if this is some sort of scam to get me to open an attachment, or if it is a genuine e-mail sent to the wrong person?
Anyone any thoughts?
16 REPLIES
jab1
Seasoned Pro
Posts: 1,495
Thanks: 264
Fixes: 5
Registered: 24-02-2012

Re: Tracking e-mail source

It is a pure and simple scam, but if you want to trace the true source of the email, you could use an IP look-up service, such as http://www.ip-adress.com/
HTH
John
Moderator
Posts: 16,561
Thanks: 1,801
Fixes: 125
Registered: 06-04-2007

Re: Tracking e-mail source

I would treat as spam irrespective of whether it is or isn't and just delete it.

Forum Moderator and Customer
Courage is resistance to fear, mastery of fear, not absence of fear - Mark Twain
He who feared he would not succeed sat still

sjptd
Grafter
Posts: 467
Registered: 01-09-2014

Re: Tracking e-mail source

You should be able to view the email headers, which will give you a much better idea of where it came from.  How to do that depends a lot on how you read your emails.  Still, it is often difficult to make sense of the headers.
I have an 'obvious' gmail address that many people with the same name fill in as theirs in various places.  I get a few genuine wrong emails a month as a result; I try to respond to them where there is enough information.  If it is not easy I just give up, and I certainly don't open attachments.  It sounds as if you have done as much as you reasonably can; I'd just delete it.
Community Veteran
Posts: 5,322
Thanks: 467
Fixes: 1
Registered: 21-03-2011

Re: Tracking e-mail source

Set your email filters to automatically delete any email from that source.
Now Zen, but a +Net residue.
Community Veteran
Posts: 2,284
Thanks: 219
Fixes: 1
Registered: 04-08-2009

Re: Tracking e-mail source

Use this link to check how to view email headers (depending on your email client).
https://www.arclab.com/en/amlc/how-to-read-and-analyze-the-email-header-fields-spf-dkim.html
Then look at the analysis method lower down the link.
Community Gaffer
Posts: 12,861
Thanks: 677
Fixes: 64
Registered: 04-04-2007

Re: Tracking e-mail source

Quote from: gleneagles
The email address is shown as notifications@rapidtuition.com, but a query sent to that e-mail address comes back as not having been found.

It will. That domain has no MX records so there's nowhere to deliver the mail:
~$ dig rapidtuition.com mx
; <<>> DiG 9.3.4-P1.2 <<>> rapidtuition.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45762
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;rapidtuition.com.              IN      MX

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

Community Veteran
Posts: 4,919
Thanks: 341
Fixes: 16
Registered: 10-06-2010

Re: Tracking e-mail source

It does now:
;; QUESTION SECTION:
;rapidtuition.com. IN MX
;; ANSWER SECTION:
rapidtuition.com. 3600 IN MX 10 ASPMX.L.GOOGLE.com.
rapidtuition.com. 3600 IN MX 20 ALT1.ASPMX.L.GOOGLE.com.
rapidtuition.com. 3600 IN MX 20 ALT2.ASPMX.L.GOOGLE.com.
rapidtuition.com. 3600 IN MX 30 ASPMX2.GOOGLEMAIL.com.
rapidtuition.com. 3600 IN MX 30 ASPMX3.GOOGLEMAIL.com.
rapidtuition.com. 3600 IN MX 30 ASPMX4.GOOGLEMAIL.com.
rapidtuition.com. 3600 IN MX 30 ASPMX5.GOOGLEMAIL.com.
rapidtuition.com. 3600 IN MX 40 mail.rapidtuition.com.
Community Gaffer
Posts: 12,861
Thanks: 677
Fixes: 64
Registered: 04-04-2007

Re: Tracking e-mail source

Ah, it was because I was using our internal DNS platform for the lookup. I get the same as you if I try another resolver.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

nanotm
Pro
Posts: 5,674
Thanks: 109
Fixes: 1
Registered: 11-02-2013

Re: Tracking e-mail source

Quote from: gleneagles
Is there any way of tracking an e-mail source, as I keep getting an invoice from some school in America with an attachment which I have no intention of opening.
The email address is shown as notifications@rapidtuition.com, but a query sent to that e-mail address comes back as not having been found.
The invoice, which looks fairly professional, says that a specific number of dollars will be coming out of my account on a specific date, but the bank details shown are clearly not mine.
I cannot make out if this is some sort of scam to get me to open an attachment, or if it is a genuine e-mail sent to the wrong person?
Anyone any thoughts?


If you use Hotmail (outlook.com), then you can right-click the mail message and select "view source" (opens in a new tab), and the top of the email will give you the source information in a fairly easy-to-read format. See the quote for the sort of info you get (yes, I changed the email details).
If you like, I can get one of the many phishing scam attempts I receive later and do the same as well (just deleted the most recent batch 20 mins ago) for comparison.

Quote
x-store-info:J++/JTCzmObr++wNraA4Pa4f5Xd6uenss1zcyrLyprV+OF5B+8QtunnxM6FkvKb2LOendxvXf9uelqZ1U4XAYDqX40q5mk53PaIMxhu4rkQEsKfMwjdnemFsJjcXMF3NPrIrsbc3INk=
Authentication-Results: hotmail.com; spf=pass (sender IP is 89.207.48.212; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=yourdelivery@dpd.co.uk; dkim=pass (testing mode; identity alignment result is pass and alignment mode is relaxed) header.d=dpd.co.uk; x-hmca=pass header.id=yourdelivery@dpd.co.uk
X-SID-PRA: yourdelivery@dpd.co.uk
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTE7YT0xO0Q9MTtHRD0xO1NDTD0w
X-Message-Info: NhFq/7gR1vTNbxKK9BIiBGzqBEpN1YG2lXeIZJjg6H3NZFIorXu165U9fP88a8xDolsGYaElAY0RwPUc/i5xiX2oHjSfYwdL/0TEgE86WCGvm7m7kTx30JOrsqAohYNzUPzzfV8GHK9Tx82/qvUHbnmoje+yzBpGVby7BeC9azJPOjYDqEYSovOKLCfDEFLi4vtCb7Ju17ZxQYyTnhyGV06m8RCdvrgt
Received: from outbound03.geopostuk.com ([89.207.48.212]) by SNT004-MC4F13.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751);
Wed, 3 Dec 2014 01:20:34 -0800
Received: from geopostuk.com (unknown [172.24.82.109])
by outbound03.geopostuk.com (Postfix) with ESMTPS id 4F3C4A290B
for <XXXX@HOTMAIL.COM>; Wed,  3 Dec 2014 09:20:32 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dpd.co.uk;
s=relay2013a; t=1417598432;
bh=FP4oPVwUm2ex37AcgGnMfObYQ8viu/RdDcSpOQu52q0=;
h=Date:To:Subject:From:From;
b=eo91WpHyLjRGNUQvtJ6MKwySBToSI5FdCJCis6wmVuGloGGLlpQP0U9cKsF3gljhu
Dfl45QrEmD4aRaUAc+iE6neEj5rLgOaCfvZ3WidZrveErr/53VL+ia1Wi/lhNhCDUu
oy7imHi7TULwmhYxseUR6hJmVLY8uuw6vU95/NdQ=
Received: (from geopost@localhost)
by geopostuk.com (8.14.7+Sun/8.14.5/Submit) id sB39KWoR019877;
Wed, 3 Dec 2014 09:20:32 GMT
Date: Wed, 3 Dec 2014 09:20:32 GMT
Message-Id: <201412030920.sB39KWoR019877@geopostuk.com>
X-Authentication-Warning: uvdata.live.geopostuk.com: geopost set sender to AMAZON <yourdelivery@dpd.co.uk> using -f
To: XXXX@HOTMAIL.COM
Subject: Your AMAZON order will be delivered today between 10:24-11:24
From: AMAZON <yourdelivery@dpd.co.uk>
Content-Type: multipart/related;
boundary="------------090303020209010600070908"
Return-Path: yourdelivery@dpd.co.uk
X-OriginalArrivalTime: 03 Dec 2014 09:20:34.0680 (UTC) FILETIME=[64939F80:01D00EDA]
just because you're paranoid doesn't mean they aren't out to get you
nanotm
Pro
Posts: 5,674
Thanks: 109
Fixes: 1
Registered: 11-02-2013

Re: Tracking e-mail source

Here's a spoofed email:
Quote
x-store-info:4r51+eLowCe79NzwdU2kR3P+ctWZsO+J
Authentication-Results: hotmail.com; spf=none (sender IP is 85.25.207.33) smtp.mailfrom=tmn@loft9641.serverprofi24.com; dkim=none header.d=servicemaster.com; x-hmca=none header.id=noreply@servicemaster.com
X-SID-PRA: noreply@servicemaster.com
X-AUTH-Result: NONE
X-SID-Result: NONE
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTlsa6RbNry/7B6vHozkVqdVKhcPneEPOnwaPJ0El42r9y29w6BfB0IgmBDHdIZtKQPaqfxupclpc9gb/P86kvqouI1ZjpBxX8u7ILV0PMw1RgcIRZ0o5RqgyCGNGRes7vSslOLVbtNfpLfhAh8qcuuhjgB4w8JQ0mADyUAo/NPw/Iv6uRYhOJ0NVI/HAGvGoBynci0RN+Kc/ixXytzZAqQI
Received: from loft9641.serverprofi24.com ([85.25.207.33]) by COL004-MC2F26.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751);
Wed, 10 Dec 2014 00:09:47 -0800
Received: from tmn by loft9641.serverprofi24.com with local (Exim 4.84)
(envelope-from <tmn@loft9641.serverprofi24.com>)
id 1XycLB-0001o2-F1
for XXXX@hotmail.com; Wed, 10 Dec 2014 09:09:45 +0100
To: XXXX@hotmail.com
Subject: Please Verify Your Account
X-PHP-Script: the-media-network.com/wp.php for 197.6.43.164
From: Amazon Service <noreply@servicemaster.com>
MIME-Version: 1.0
Content-Type: text/html
Message-Id: <E1XycLB-0001o2-F1@loft9641.serverprofi24.com>
Date: Wed, 10 Dec 2014 09:09:45 +0100
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - loft9641.serverprofi24.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [508 519] / [47 12]
X-AntiAbuse: Sender Address Domain - loft9641.serverprofi24.com
X-Get-Message-Sender-Via: loft9641.serverprofi24.com: authenticated_id: tmn/only user confirmed/virtual account not confirmed
Return-Path: tmn@loft9641.serverprofi24.com
X-OriginalArrivalTime: 10 Dec 2014 08:09:48.0340 (UTC) FILETIME=[AA73CF40:01D01450]

Slightly worrying, though, as it purports to be from Amazon, and a lot of people will undoubtedly click the link and try to log in through the fake website.
just because you're paranoid doesn't mean they aren't out to get you
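The two header dumps quoted in the posts above (the genuine DPD notification and the "Amazon Service" phish) differ in exactly the fields a receiver's Authentication-Results header records. The following is an added example, not code from this thread or from any mail provider: it parses abridged, constructed versions of those two header sets and reports the SPF/DKIM verdicts, whether the authenticated identities line up with the From: domain the user sees, and the connecting IP. Header values are modelled on the quoted samples; the checks are the author's own, not Hotmail's.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed, abridged headers modelled on the two messages quoted above.
GENUINE = """Authentication-Results: hotmail.com; spf=pass (sender IP is 89.207.48.212) smtp.mailfrom=yourdelivery@dpd.co.uk; dkim=pass header.d=dpd.co.uk
Received: from outbound03.geopostuk.com ([89.207.48.212]) by SNT004-MC4F13.hotmail.com; Wed, 3 Dec 2014 01:20:34 -0800
From: AMAZON <yourdelivery@dpd.co.uk>
Return-Path: yourdelivery@dpd.co.uk

"""
SPOOFED = """Authentication-Results: hotmail.com; spf=none (sender IP is 85.25.207.33) smtp.mailfrom=tmn@loft9641.serverprofi24.com; dkim=none header.d=servicemaster.com
Received: from loft9641.serverprofi24.com ([85.25.207.33]) by COL004-MC2F26.hotmail.com; Wed, 10 Dec 2014 00:09:47 -0800
From: Amazon Service <noreply@servicemaster.com>
Return-Path: tmn@loft9641.serverprofi24.com

"""

def auth_results(value):
    """Scan an Authentication-Results header for the SPF/DKIM verdicts, the
    identities they were evaluated against and the connecting IP (simple
    string scan, not a full RFC 8601 parser)."""
    out = {}
    for key in ("spf", "dkim", "smtp.mailfrom", "header.d"):
        m = re.search(re.escape(key) + r"=([^\s;()]+)", value)
        out[key] = m.group(1).lower() if m else ""
    m = re.search(r"sender IP is ([0-9a-f.:]+)", value)
    out["sender_ip"] = m.group(1) if m else ""
    return out

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def assess(raw):
    """Return the From: domain, the connecting IP and a list of red flags."""
    msg = message_from_string(raw)
    auth = auth_results(msg.get("Authentication-Results", ""))
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    flags = [c + "=" + (auth[c] or "absent") for c in ("spf", "dkim") if auth[c] != "pass"]
    # Alignment: a pass only means something if the authenticated identity
    # is the domain the reader actually sees in From:.
    if auth["smtp.mailfrom"] and domain_of(auth["smtp.mailfrom"]) != from_dom:
        flags.append("envelope sender %s is not %s" % (domain_of(auth["smtp.mailfrom"]), from_dom))
    if auth["header.d"] and auth["header.d"] != from_dom:
        flags.append("dkim domain %s is not %s" % (auth["header.d"], from_dom))
    # A brand word in the display name that the From: domain does not back is
    # only a weak hint: the genuine DPD sample trips it too, so report it apart.
    brand = display.split()[0].lower() if display else ""
    return {"from_domain": from_dom, "sender_ip": auth["sender_ip"],
            "flags": flags, "brand_mismatch": bool(brand) and brand not in from_dom}

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, assess(raw))
```

The genuine sample yields no flags (both verdicts pass and every identity is dpd.co.uk), while the phish fails SPF and DKIM and its envelope sender domain does not match the From: domain; both show the display-name mismatch, which is why that signal alone is not enough.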
Community Gaffer
Posts: 12,861
Thanks: 677
Fixes: 64
Registered: 04-04-2007

Re: Tracking e-mail source

Looks to have been sent from a genuine mail server rather than a botnet:
~$ telnet loft9641.serverprofi24.com 25
Trying 85.25.207.33...
Connected to 85.25.207.33.
Escape character is '^]'.
220-loft9641.serverprofi24.com ESMTP Exim 4.84 #2 Wed, 10 Dec 2014 11:42:49 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.

Looking at the whois details, it /could/ be a genuine company and they might be unwittingly sending this junk out. There may be some merit in filing an abuse report with the registrar and hosting provider: domain-abuse@psi-usa.info and abuse@plusserver.de respectively.
~$ whois serverprofi24.com
[Querying whois.internic.net]
[Redirected to whois.psi-usa.info]
[Querying whois.psi-usa.info]
[whois.psi-usa.info]
Domain Name: serverprofi24.com
Registry Domain ID: 1852584919_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.psi-usa.info
Registrar URL: http://www.psi-usa.info
Updated Date: 2014-12-07T12:12:56Z
Creation Date: 2014-03-30T05:15:52Z
Registrar Registration Expiration Date: 2015-03-30T05:15:53Z
Registrar: PSI-USA, Inc. dba Domain Robot
Registrar IANA ID: 151
Registrar Abuse Contact Email: domain-abuse@psi-usa.info
Registrar Abuse Contact Phone: +49.94159559482
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: PlusServer AG
Registrant Organization: PlusServer AG
Registrant Street: Daimlerstrasse 9 - 11
Registrant City: Hürth
Registrant State/Province: Nordrhein-Westfalen
Registrant Postal Code: 50354
Registrant Country: DE
Registrant Phone: +49.22336120
Registrant Phone Ext:
Registrant Fax: +49.22336125146
Registrant Fax Ext:
Registrant Email: domainadmin@plusserver.de
Registry Admin ID:
Admin Name: Thomas Strohe
Admin Organization: PlusServer AG
Admin Street: Daimlerstrasse 9 - 11
Admin City: Hürth
Admin State/Province: DE
Admin Postal Code: 50354
Admin Country: DE
Admin Phone: +49.22336120
Admin Phone Ext:
Admin Fax: +49.22336125146
Admin Fax Ext:
Admin Email: domainadmin@plusserver.de
Registry Tech ID:
Tech Name: Hostmaster intergenia AG
Tech Organization:
Tech Street: Daimlerstrasse 9-11
Tech City: Huerth
Tech State/Province: NRW
Tech Postal Code: 50354
Tech Country: DE
Tech Phone: +49.22336120
Tech Phone Ext:
Tech Fax: +49.22336125146
Tech Fax Ext:
Tech Email: domains@domains.intergenia.de
Name Server: ns5.nameserverservice.de
Name Server: ns6.nameserverservice.de
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

nanotm
Pro
Posts: 5,674
Thanks: 109
Fixes: 1
Registered: 11-02-2013

Re: Tracking e-mail source

I forwarded the email to Amazon's spoofing department and clicked the MSN report button; hopefully they will inform the relevant mail provider. Unfortunately, clicking the MSN report button removes the mail from the account, so it's not possible for me to send it on to them now.
just because you're paranoid doesn't mean they aren't out to get you
Community Veteran
Posts: 13,923
Thanks: 515
Fixes: 7
Registered: 01-08-2007

Re: Tracking e-mail source

Why? Because it says: From: Amazon Service <noreply@servicemaster.com>
No email address in those headers mentions Amazon; only in the From line does it say Amazon Service. Anyone who believes it's actually from Amazon with a domain of servicemaster.com is worthy of a Darwin award. The domains aren't even similar in the slightest.
As for forwarding to Amazon, that's rather pointless. What can they honestly do? Nothing.
I need a new signature... i'm bored of the old one!
nanotm
Pro
Posts: 5,674
Thanks: 109
Fixes: 1
Registered: 11-02-2013

Re: Tracking e-mail source

You don't see the domain it's sent from in a standard email header; it says "Amazon" in the From box.
The link in the email takes you to a mock-up of the Amazon login screen, and the browser tells you the site is secure (padlock icon) and the displayed name in the address bar is amazon.com (I know because I checked that). Amazon can actually do something about it, like sending out an email to all their customers warning of the spoof email (anyone on a tablet is likely to be duped, as they don't have the advanced view options available to PC users) and allowing them to take corrective action should they have inadvertently exposed their details. Additionally, Amazon can send out cease and desist notices, contact the mail provider and domain provider, have them listed by the various safe search providers as blocked URLs and so on. They know who to contact and are far more likely to be believed than an individual who makes such a report, never mind the law enforcement and legal options they can bring to bear around the world to have the perpetrators locked up, again not something the average citizen can do (even on the off chance such a report is acted on).
I've had a reply from Amazon customer services telling me the spoofed email was indeed spoofed and they're taking action to protect customers, which will probably be nothing more than making people go through an extra step to log in if they're not using their normal home computer.....

You might not see the point in reporting something to the company that's being spoofed, but they do, as do many others, since it's their reputation on the line.
just because you're paranoid doesn't mean they aren't out to get you